Matrix Posted October 15, 2019

The big picture: As trade tensions between China and the US continue to make headlines, Apple has found itself in the general conversation once again. Apparently, the company shares some data with a Chinese tech giant, which has led some to believe that it isn't able to hold up to its high standards for privacy. While most people would take that as "Apple bowing to China," it's more important to reflect on the fact that we don't live in an ideal world where things are that simple.

Most may not be aware of it, but Apple's web browser has been sending data to Google Safe Browsing for years. This is done to protect users against phishing scams, by using an interstitial screen that prevents you from visiting a known fraudulent website from Google's list.

Now it appears that for everyone running the latest version of iOS, Apple is sending some of your web browsing history to Chinese Internet giant Tencent. This has sent critics up in flames about the potential privacy implications, especially since the feature is enabled by default and requires some digging to find it.

If you go to Settings > Safari, you'll find some small print that has recently been changed to say that "before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address."

Cryptography expert Matthew Green explains that this poses a privacy risk because it could reveal both your IP address as well as the web pages you are visiting. He says there's also a great possibility that Google "may drop a cookie into your browser during some of these requests." This essentially means that someone could use this information to piece together a profile of your browsing behavior.
Fortunately, Google has made some changes to the relevant API that should, in theory, provide anonymity using a locally stored database which contains hashes instead of the actual addresses of known malicious websites. Every time you visit a new website, Safari will hash the URL and check if it matches something from the local database.

However, this approach isn't perfect. As you visit hundreds or even thousands of websites over time, you gradually leak your browsing history. It's also worth noting that you need to trust Google not to make use of this vulnerability. The company is already under investigation by the Irish Data Protection Commission under allegations that it may have been circumventing GDPR rules to perform a more subtle form of data mining for advertisers.

The good news is you can easily turn off the "Fraudulent Website Warning" feature in Settings under Safari, but this still doesn't explain why Apple didn't see the need to be more transparent about it. The company released a statement to say that Tencent is only used as a source for the list of fraudulent websites if the region setting on the device is set to mainland China.

This isn't the first time the company has been criticized for working with a Chinese entity to handle sensitive data. Last year it transferred iCloud servers for Chinese users to a state-run company, which yielded similar privacy concerns.

More recently, Apple has been under fire for its somewhat peculiar relationship with China. CEO Tim Cook had to defend the company's stance after it removed a Hong Kong protest app from the App Store, a move that led many to believe Apple may be favoring Chinese interests as a way to appease the government of its third largest market.

VIEW: Original Article.
steven36 Posted October 15, 2019

Apple explains how Safari's recent Safe Browsing update works -- following a slew of misleading media reports.

Apple has issued a statement today following a slew of misleading and poorly-researched media reports that were published over the weekend, claiming that the Safari web browser was secretly sending user traffic to Chinese company Tencent.

All the reports were anchored in a recent discovery that Apple had implemented a second "safe browsing" system within Safari. Safe browsing mechanisms were named so after Google's Safe Browsing service. They work by taking a URL a user is trying to access and checking it against a database of known bad sites.

For years, Apple has used Google's Safe Browsing API inside Safari to check for bad links. Starting earlier this year, Apple also added Tencent's safe browsing system to Apple as well.

But this update has been misinterpreted by several news outlets over the weekend under scary headlines of "Apple sends users' web browsing history to China," amid a recent rise in Chinese anti-sentiment and fearmongering triggered by the recent Hong Kong protests and the US-Sino trade war.

However, the reality is that this is not how modern safe browsing mechanisms work. It's true that early versions of safe browsing mechanisms did rely on sending a URL over the internet to a "safe browsing provider" where the link was checked against a remote database of malicious sites. But, nowadays, most safe browsing mechanisms, such as those managed by Google and Tencent, work by sending a copy of the database to a user's browser and letting the browser check the URL against this local database.

According to Apple, this is also how Apple developers have implemented Safari's safe browsing mechanism -- to never send the user's internet browsing traffic to safe browsing providers.
Tencent's safe browsing used only for devices with Chinese locale

Furthermore, as several developers have also pointed out over the weekend, Tencent is not the default safe browsing provider. Tencent is only used on devices where the Chinese locale is enabled [1, 2, 3].

The reasoning behind supporting Tencent is quite simple -- the Chinese government bans Google domains inside China; hence, Safari users in China wouldn't be able to receive Google's database of malicious links and subsequent updates.

Apple added support for Tencent as an alternative safe browsing provider specifically for Chinese users. It did so in order to keep its Chinese userbase safe, similar to everyone else, and show alerts whenever one of them might end up wandering off and landing on a bad site.

Below is Apple's full statement:

Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.

Source
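Added example, not part of either post and not Apple's, Google's or Tencent's code: a simplified model of the local hash-database check both articles describe, showing what a provider can and cannot observe. It assumes SHA-256 over an already-canonicalized URL expression and a list of truncated hashes ("prefixes") with a follow-up full-hash request on a local match, as in Google's Safe Browsing Update API; the `Provider` and `Browser` classes, the sample URLs and the 1-byte prefix used in `demo()` are constructed for illustration.

```python
import hashlib
from itertools import count

def sha256(expr: str) -> bytes:
    # Assumption: expr is an already-canonicalized URL expression.
    return hashlib.sha256(expr.encode()).digest()

class Provider:
    """Constructed stand-in for a safe browsing provider (not a real API client)."""
    def __init__(self, bad_exprs, prefix_len=4):   # 4 bytes is the usual prefix length
        self.prefix_len = prefix_len
        self.full = {sha256(e) for e in bad_exprs}
        self.received = []                  # everything the provider ever sees

    def prefix_list(self):
        # The list shipped to the browser: truncated hashes, not URLs.
        return {h[:self.prefix_len] for h in self.full}

    def full_hashes(self, prefix: bytes):
        self.received.append(prefix)        # loggable, together with the client IP
        return {h for h in self.full if h.startswith(prefix)}

class Browser:
    def __init__(self, provider):
        self.provider = provider
        self.local = provider.prefix_list() # local database

    def check(self, expr: str) -> str:
        h = sha256(expr)
        prefix = h[:self.provider.prefix_len]
        if prefix not in self.local:
            return "allowed (local miss, nothing sent)"
        # Local hit: only the prefix leaves the device, never the URL.
        confirmed = h in self.provider.full_hashes(prefix)
        return "blocked" if confirmed else "allowed (prefix collision, prefix sent)"

def find_collision(bad_expr: str, prefix_len: int) -> str:
    """Search for a constructed benign expression sharing bad_expr's hash prefix."""
    target = sha256(bad_expr)[:prefix_len]
    return next(e for e in (f"benign.example/{i}" for i in count())
                if sha256(e)[:prefix_len] == target)

def demo():
    bad = "phish.example/login"             # constructed sample list entry
    provider = Provider([bad], prefix_len=1)  # 1 byte only so a collision is cheap to find
    browser = Browser(provider)
    results = [browser.check(bad), browser.check(find_collision(bad, 1))]
    return results, provider.received
```

With real 4-byte prefixes collisions are rarer, but every local hit still sends a prefix that the provider can log next to the client's IP address, which is the accumulation concern raised in the first post.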